Clamwin 0.95.1 is flagging all JobAlert emails from Dice.com ( sender jobs@dice.com ) with the following info:

Warning: This message has had one or more attachments removed
Warning: (The entire message).
Warning: Please read the "Mail-Filter-Gateway-Attachment-Warning.txt" attachment(s) for more information.

This is a message from the MailFilterGateway E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "The entire message"
was believed to be dangerous and/or infected by a virus and has been replaced by this warning message.

At Fri May 22 02:47:09 2009 the scanner said:
message was infected: Phishing.Heuristics.Email.SpoofedDomain FOUND

I'm using Outlook 2002 ( 10.6838.6845 ) SP3 on Windows XP SP3.

Since Clamwin seems to have simply deleted the email message ( there's nothing in the quarantine folder ), I am unable to attach the triggering message and send it to you via your automated false-positive reporting system.

GuitarBob

Joined: 09 Jul 2006

Posts: 4410

Location: USA

Posted: Fri May 22, 2009 6:28 pm

Are you using Clam Antivirus or ClamWin Antivirus? This is the forums for ClamWin. Clam Antivirus does provide the scanning engine and signature database used by ClamWin Antivirus. You should report false positives for both of these antiviruses to Clam Antivirus at its submission page starting at http://www.clamav.net/sendvirus/ on the web. If you are reporting a false positive, be sure to fill in the false positive designation, and tell them the exact name of the false positive virus.

Clam will need a copy of any file that has a false positive detection in order to verify it and to help them prepare a signature that will exclude that file. If you are using ClamWin, perhaps you could change ClamWin's detection option to Report Only and capture the file for submission to Clam. They get some false positives on Spoofed Domains, but it seems to me that any email with a spoofed domain is suspect. Why would anyone spoof a domain if they are legitimate?